Did Russian Hackers Crash Skype? 108
An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.
Re:IN SOVIET RUSSIA (Score:4, Funny)
The code snippet seems to be wrong (Score:4, Informative)
Re:The code snippet seems to be wrong (Score:5, Funny)
Re: (Score:2, Funny)
Re: (Score:2)
Re:The code snippet seems to be wrong (Score:4, Informative)
Re: (Score:1)
Re:The code snippet seems to be wrong (Score:4, Informative)
Re: (Score:2)
Re:The code snippet seems to be wrong (Score:4, Informative)
Re:The code snippet seems to be wrong (Score:5, Funny)
Re: (Score:1, Redundant)
Re:The code snippet seems to be wrong (Score:5, Informative)
Re: (Score:3, Funny)
In Soviet Russia idiots abuse you !
Look (Score:4, Interesting)
Re: (Score:2, Informative)
The following code snippets assume pszSrc is smaller or equal to 50 chars
// Example #1
// Example #2
// Example #3
// Example #4
// Example #5
Re: (Score:2)
Re: (Score:1)
oh, lighten up (no pun intended).
Re: (Score:3, Insightful)
It's really that simple. Every specification which explains strncpy() says as much.
Using strncpy() as specified is infinitely safer than using a function which blindly copies characters forever irrespective of your buffer size.
Posting five examples of "the author doesn't understand C arrays or strncpy()" isn't an argument for strncpy() being horrifically unsafe, it's an argument that for every single programming cons
Re: (Score:1, Troll)
int *p;
*p = 5;
Amazing, isn't it?
Yes, it does make sense to learn how to use a programming language before using it. It's possible to use most <string.h> functions in an unsafe way - so what? The point is that some functions are inherently unsafe (strlen, strcpy) whereas some can actually be safe, if one knows how to use them, of course.
What do you mean "safety pin"? I just pricked myself!
Re: (Score:2)
The problem with those examples isn't strncat. It's that whoever wrote them had a very poor understanding of C.
Tards who don't learn the language they're writing in are going to write buggy code no matter what language they use. You're complaining about the wrong thing.
Re:Look (Score:4, Insightful)
Really, though. If you need the buffer space, you need the buffer space. Truncation is usually not an option. This is sloppy coding, but not due to lack of using 'n' functions. Resize as needed or reject the request if it gets too big.
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
#define strlcat(dst, src, size) snprintf(size, dest, "%s", src)
Aren't you usually better off dynamically allocating these things anyway? asprintf works well. Python works better yet.
Re: (Score:2)
#define strlcpy(dst, src, size) snprintf((size), (dst), "%s", (src))
#define strlcat(dst, src, size) snprintf((size) - strlen(dst), (dst) + strlen(dst), "%s", (src))
Re: (Score:1)
Re: (Score:1)
Translation (Score:5, Informative)
"The reason for yesterday's downtime of the Skype network is research of Russian crackers, as reported by one of our readers.
While searching for a local buffer overflow, a possibility was found to send a long string to the server, overflowing its buffer and causing the server to go down. Its place is taken by another server from the P2P network, the error arises on it in the same way, and so on. As a result, the entire Skype network refused service for several hours and the developer team was forced to turn off authentication.
Here's the exploit code:"
Re:Translation (Score:5, Informative)
Anyway, your version is probably a little better, so I'll contribute with something else. The script is very short too, so here it is: The first page of comments seems to be just the usual bunch of trolls, assholes, and simply useless posts, except for one that claims the code has been shown not to do anything on a dedicated security site [securitylab.ru]. The Skype article on the front page doesn't contain any additional information. The attack looks almost too simple to work, but I wasn't able to find any strong evidence that would suggest that it doesn't, at least not with a few quick searches.
Skype has to change for eavesdropping law (Score:4, Interesting)
From what little I know about Skype, the network can cause both parties in a Skype-Skype call to route through a third party, a supernode (this is done to defeat firewall complications). So perhaps they would be able to start routing all USA-international traffic through in-house supernodes where the stream could be tapped. (Anyone want to correct me? Clarify?)
Re: (Score:2)
This approach allows picking up traffic between two ids of interest to someone with a suitable request. If some unspecified USA institution wants to know all conversations between XXXZZZ in Russia and ZZZXCC in France they can do it and there is dickshit any of these can do about it besides stopping to use Skype.
By the way, personally, I think that Skype has had that for a very long time and it is indeed bogus coding of the auth module t
Re: (Score:2)
AFAIK the surveillance Skype could do up to this point was only at a POTS interface (SkypeOut or SkypeIn). Otherwise, the P2P calls were 'secure' with only the source & dest identities and call length being known to 3rd parties.
Re: (Score:1)
Not enough that my boiler leaks, now you made my head spin. International. I'd say.
Re: (Score:2)
You remind me of my mother. Every time she hears a click on the phone, she thinks it's the CIA spying on her.
What she doesn't seem to get is that the CIA isn't some kid hanging from her drainpipe and fiddling with alligator clips. When they listen in on your phone, you
Re: (Score:3, Insightful)
Unless, of course, they want her to know about it, in order to encourage self-censorship.
Again, you're assuming that secrecy is desired. It is
Re: (Score:2)
So, of COURSE the NSA can tap POTS lines without callers having the slightest suspicion. But as soon as the connections become IP-IP (and P2P) with strong modern encryption, then they are sent flat on their asses. In Skype's case nothing will help them with that signal other than a significa
Re: (Score:2)
1) Uncrackable my ass.
2) What on earth makes you think that the only way to make these changes is to knock the whole system offline for two days? I cannot conceive of any situation in which that would be necessary or even helpful.
Re: (Score:2)
2) Because nothing like it has been done before, and eBay (the parent company) has been knocked offline for nearly as long even after attempting far more trivial changes to their auction system.
Skype originally only had to provide access to the POTS interfaces because that's all that CALEA covered; and that was easy since POTS is unencrypted and its already been don
Re: (Score:2)
1) No one has a shred of evidence that Skype is still using the crypto that they had audited years ago. Or, really, that they ever were.
2) Huh? Nothing like adding auditing and tapping to a data stream has ever been done before? I don't even know how you can say that.
Re: (Score:2)
2) It can't be simple tapping. But I will concede that an MITM attack would be similar to what Skype would ostensibly need to do to enable eavesdropping. The problem is, implemented full-scale, integrated with their normal services, there would likely be some major mistakes/glitches and IMO its proba
Re: (Score:1)
Lost in translation (Score:1)
They hired DoS specialists against their own users (Score:4, Interesting)
Re:They hired DoS specialists against their own us (Score:1, Funny)
Re: (Score:1)
schtasks
adjust for timezone and make sure to have wget installed, then you can read it offline when you come back another time
Re:They hired DoS specialists against their own us (Score:1)
I`ll be there.
*marks calander*
Re:They hired DoS specialists against their own us (Score:2)
Re: (Score:3, Informative)
Why don't you switch to an open protocol which might not be so flakey?
If anyone has had good experiences with alternatives to Skype, that are multi-platform and support voice conferencing of 4-8 people, please let me know!
Set up a CallWeaver server. I use CallWeaver as my server and Ekiga as my softphone and it works fine (also a UTStarCom F1000G as a WiFi phone, but I have all sorts of problems with that owing to UTStarCom's flakey firmware which they
Re: (Score:1)
Agreed, odd things happen from time to time. However:
Never observed this -- maybe your contact was "invisible"?
Re:They hired DoS specialists against their own us (Score:3, Funny)
I bet Slashdot wouldn't be prepared for all of its users connecting at the same time, either. But it needs not to. It is never going to happen (why should it?)
I believe you are discounting the possibility of the actuality of Natalie Portman and Hot Grits.
Re:They hired DoS specialists against their own us (Score:4, Insightful)
This is a pretty good example of why centralised network topologies such as Skype, MSN, etc. are a really Bad Idea. It doesn't take much to take down the entire network.
SIP, XMPP, SMTP, etc are all examples of distributed topologies - there is centralised service required(*) for these networks - if one service provider's network falls over it only affects a small number of users rather than taking out *all* the users using that protocol.
(* Yes, they all require the root name servers, but these days the root name server architecture is pretty resillient through the use of technologies such as anycase. Certainly a lot more resillient than any one organisation could hope to achieve for their own propriatory protocols).
They should have been prepared for the case, that whenever their network would be down for whatever reason all clients would try to connect concurrently!
This is not really a question of preparation - it's a question of a sensible network design. The Skype network (and most other propriatory services) is a flawed design _because_ they want to have control of every aspect of the network. Open protocols are generally designed to allow interoperation of independent autonomous networks so an outage of this magnetude is pretty much impossible.
Typo... (Score:2)
there is centralised service required
Clearly I meant *NO* centralised service required
fake? (Score:5, Informative)
Re: (Score:2)
It's OK folks! (Score:3, Funny)
it was Yetis! (Score:1, Funny)
coincidence? (Score:5, Informative)
Another Soviet Russia comment (Score:2, Funny)
These coding arguments are funny (Score:1)
Re: (Score:2)
You're not a coder are you?
What really happened !!! (Score:2, Interesting)
a "big Brother" agency, for the purpose of installing "Big Brother" software on both the
server(s) and eventually the clients (because now a trojan is installed) into everyone's
system with a "knock knock" protocol that would activate a "wiretap" to capture your
voice, images, and text. That's why we had to DL that "new copy" they wanted us to have.
Now I know you folks think I'm full if shit... I hope the heck I am but
Re: (Score:2)
Name Change (Score:1)
Skype and Patriot act maybe not hackers? (Score:1, Interesting)
Re: (Score:3, Informative)
Correcting you because your "Facts" are wrong. (Score:1)
Just watch the Skype blogs... (Score:3, Informative)
Re: (Score:3, Insightful)
Then you know it's true; nobody's ever lied on a blog before.
Re: (Score:2)
It was Microsoft's fault (Score:1)
According to a Register report, "Patch Tuesday update triggered Skype outage".
"Skype has blamed last week's prolonged outage on the effects of Microsoft's Patch Tuesday.
The latest security update from Microsoft required a system reboot. The effect of so many machines rebooting and subsequently trying to log onto the Skype VoIP network triggered system instability and a prolonged outage of almost two days starting on Thursday1. Services have now being restored."
http://www.theregister.co.uk/2007/08/ [theregister.co.uk]
Re: (Score:3, Funny)
Re: (Score:1)
Re: (Score:1, Offtopic)
Re: (Score:1)
Re: (Score:2)
And it's also why all the jobs are in the USA?
Re: (Score:2, Funny)